Controls for human-supervised AI operations
Last updated: 10 June 2026
Operating principle
LatchFlow is designed as a managed operational layer, not an unsupervised replacement for a lettings team. High-risk work stays behind approval gates, and production workflows are launched with a clear rollback path.
Controls included in a production rollout
- Human approval for low-confidence, legal, vulnerable-occupant, emergency, and spend-threshold cases.
- Least-privilege access to connected inboxes, records, and workflow tools.
- Audit logs for AI drafts, routing decisions, approvals, overrides, and write-back events.
- Named workflow owners, escalation paths, and a monthly operational review cadence.
- Change control for prompts, routing rules, SOPs, and model or integration changes.
AI governance
Automations are scoped by workflow. Business rules are kept separate from prompt content, key decisions are logged, and override patterns are reviewed so the workflow improves without quietly taking on risky decisions.
Data boundaries
Before live data is connected, each client gets a clear scope covering source systems, permitted data, retention, deletion, subprocessors, and approval rules. The public dashboard is a sample preview and contains no real client data.
The current trust documentation is kept in the LatchFlow Trust Center, including the data-flow map, subprocessor list, and go-live checklist.
Website and lead-capture controls
- Global HTTPS, anti-framing, MIME-sniffing, referrer, permissions, opener, and content-security headers.
- Same-site JSON-only audit submissions with request-size limits and a hidden-field spam trap.
- No browser-local retention of prospect contact details or notes after a booking attempt.
- Vercel edge rate limiting is configured for the current audit-request endpoint and must be reverified after hosting or route changes.
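
The sketch below shows one way the same-site, JSON-only, size-limited, honeypot-protected submission check listed above could be ordered. It is an added example, not LatchFlow's own code. The allowed origin, the 8 KiB limit, the `website` honeypot field name and the request shape are assumptions.

```javascript
// Added example: validation order for a lead-capture POST endpoint.
// MAX_BODY_BYTES, ALLOWED_ORIGIN and HONEYPOT_FIELD are assumed values,
// not taken from the page.
const MAX_BODY_BYTES = 8 * 1024;
const ALLOWED_ORIGIN = "https://example.test";
const HONEYPOT_FIELD = "website";

// req: { method, headers (lower-cased keys), body (raw string) }
// Returns { status, reason, data? }; performs no network or storage access.
function validateSubmission(req) {
  if (req.method !== "POST") return { status: 405, reason: "method" };

  const h = req.headers || {};
  // Same-site: prefer the browser-set Fetch Metadata header, fall back to Origin.
  const site = h["sec-fetch-site"];
  if (site !== undefined) {
    if (site !== "same-origin" && site !== "same-site") {
      return { status: 403, reason: "cross-site" };
    }
  } else if (h["origin"] !== ALLOWED_ORIGIN) {
    return { status: 403, reason: "cross-site" };
  }

  // JSON only: rejects the form-encoded and text/plain bodies that a plain
  // HTML form can send without a CORS preflight.
  const type = (h["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (type !== "application/json") return { status: 415, reason: "content-type" };

  // Size limit measured on the received bytes, not the declared Content-Length.
  const raw = typeof req.body === "string" ? req.body : "";
  if (new TextEncoder().encode(raw).length > MAX_BODY_BYTES) {
    return { status: 413, reason: "too-large" };
  }

  let data;
  try { data = JSON.parse(raw); } catch (e) { return { status: 400, reason: "bad-json" }; }
  if (data === null || typeof data !== "object" || Array.isArray(data)) {
    return { status: 400, reason: "bad-json" };
  }

  // Honeypot: the hidden field is never filled by a person. Answer 200 so an
  // automated sender gets no signal, but drop the submission.
  const trap = data[HONEYPOT_FIELD];
  if (typeof trap === "string" && trap.trim() !== "") {
    return { status: 200, reason: "honeypot-dropped" };
  }
  return { status: 200, reason: "accepted", data };
}
```

Rate limiting is not shown because the page places it at the hosting edge rather than in the handler.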
What is not claimed
We do not currently claim SOC 2, ISO 27001, Cyber Essentials, or official vendor partnership certification. If your organisation requires a specific assurance standard, we'll agree that requirement before live deployment.
Security contact
A dedicated security mailbox is not configured yet. Please do not submit sensitive vulnerability details through the booking form.